Cryptography Basics
An essential component of IT security involves the use of cryptography. In this chapter we will look at the basics of cryptography and provide an overview of a number of different types of cryptography.
What is Cryptography?
Cryptography describes a process of encrypting information so that its meaning is hidden from those who do not know how to decrypt the information. The concept of cryptography began around the same time that humans learned to communicate language through the written word. Over time many different approaches to cryptography have been used ranging from basic shifting of alphabetical letters to complex mechanical and electronic encryption methods.
It is impossible to overemphasize the importance of cryptography, both in the past and in the context of today's high tech world. The ability to break the encryption used by opposing sides in wars has shifted the balance of power in the world, and without cryptography in computing it would be impossible to perform tasks we take for granted such as securely purchasing items on the internet or remotely logging into servers from outside a company firewall. Even credit cards would not exist if there were no way to encrypt the data stored on the magnetic strips.
Algorithms
A cryptographic algorithm (also known as a cipher) is a step by step sequence of mathematical calculations used to encrypt and decrypt information. There are currently three different types of cryptographic algorithms: hashing algorithms, symmetric-key algorithms and asymmetric-key algorithms.
Hashing Algorithms
A hash is a mathematical algorithm designed to perform one-way encryption. When we say one-way we mean that once the information has been encrypted there is no way to retrieve the original information from the hashed form. Hashing is commonly used in password files and for ensuring the integrity of data. As an example, a hash may be created for an email message in the form of a Message Authentication Code (MAC). When the message is received the receiver would also generate a hash from the message. If the recipient's hash matches the code which accompanied the message the receiver knows the message is authentic and has not been tampered with during transmission.
The two most common hash methods are as follows:
- Message Digest Service Algorithm - The message digest family of encryption algorithms provides encryption of 128-bits in strength and is designed to be fast and simple. Current standards are MD2, MD4 and MD5.
- Secure Hash Algorithm - SHA is used extensively by the US government and was developed by the National Security Agency (NSA). Two versions of SHA have so far been developed - SHA and SHA-1. SHA-1 provides 160-bit hashing. SHA-1 is more secure than MD5 but involves a slower encryption process.
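The MAC check described above, as an added example that is not part of the original chapter. It uses Python's standard `hmac` module with SHA-256 (a choice made for this example) and contrasts a keyed MAC with a bare hash that anyone altering the message could simply recompute; the key and messages are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values for illustration only.
SHARED_KEY = b"constructed-demo-key-shared-by-sender-and-receiver"
ORIGINAL = b"Pay 100 to account 12345"
TAMPERED = b"Pay 900 to account 12345"


def plain_digest(message: bytes) -> str:
    """Unkeyed hash: detects accidental corruption, but needs no secret."""
    return hashlib.sha256(message).hexdigest()


def verify_digest(message: bytes, received_digest: str) -> bool:
    """Receiver-side check for an unkeyed hash sent alongside the message."""
    return hmac.compare_digest(plain_digest(message), received_digest)


def make_mac(key: bytes, message: bytes) -> str:
    """Keyed hash (HMAC-SHA256): only holders of the key can produce it."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify_mac(key: bytes, message: bytes, received_tag: str) -> bool:
    """Receiver recomputes the tag and compares it in constant time."""
    return hmac.compare_digest(make_mac(key, message), received_tag)


def demo() -> dict:
    tag = make_mac(SHARED_KEY, ORIGINAL)
    return {
        # Untouched message with its own tag is accepted.
        "authentic": verify_mac(SHARED_KEY, ORIGINAL, tag),
        # Altered message with the original tag is rejected.
        "tampered_with_old_tag": verify_mac(SHARED_KEY, TAMPERED, tag),
        # A tag computed without the shared key is rejected as well.
        "tampered_with_wrong_key_tag": verify_mac(
            SHARED_KEY, TAMPERED, make_mac(b"not-the-shared-key", TAMPERED)),
        # A bare hash is no MAC: replacing message and hash together passes.
        "bare_hash_replaced_together": verify_digest(
            TAMPERED, plain_digest(TAMPERED)),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: accepted={accepted}")
```

The last result is why integrity against deliberate tampering needs a keyed MAC or a digital signature rather than a hash on its own.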
Symmetric Encryption Algorithms
Symmetric encryption is one of the most basic forms of cryptography and is based on the premise that both the sending and receiving parties are in possession of the key used to encrypt the data (otherwise known as shared secret encryption).
Symmetric key encryption is performed using two methods, block cipher and stream cipher. As the names suggest, block ciphers encrypt data in sections of bits whereas a stream cipher encrypts data one bit at a time until the entire message is encrypted.
A wide variety of symmetric key algorithms are currently in use, the most prevalent of which are described below.
Data Encryption Standard (DES)
DES was originally developed in the 1970s at the behest of the National Bureau of Standards (NBS), now known as the National Institute of Standards and Technology.
DES is a block cipher and encrypts data in 64-bit units using a key length of 56-bits. As with other symmetric encryption algorithms, DES uses the same key and algorithm for both encryption and decryption.
Triple DES (3DES)
As may be inferred from the name, 3DES (pronounced Triple DES) is an adaptation of DES. Unlike DES, 3DES uses either 2 or 3 keys and executes three passes through the algorithm to provide multiple encryption resulting in a total bit strength of 168-bits.
Advanced Encryption Standard (AES)
In recognition that technological advancements were making DES and 3DES encryption vulnerable to attack, the National Institute of Standards and Technology (NIST) issued a request for proposal for a new encryption standard to be called the Advanced Encryption Standard (AES) which was to use symmetric key cryptography in 128, 192 and 256-bit key strengths. A variety of groups responded with proposals and the NIST ultimately chose an offering put forward by Joan Daemen and Vincent Rijmen. AES is a block cipher and encrypts data in 128-bit units and uses multiple encryption techniques.
Blowfish
Developed in 1994 by Bruce Schneier, Blowfish is a block cipher working in 64-bit units with key lengths from 32-bits up to 448-bits. Under Blowfish, each 64-bit block is divided into two 32-bit words. Although weaker versions are available, the full strength version of Blowfish performs 16 rounds of encryption on each 32-bit word. So far no one has succeeded in breaking full strength Blowfish encryption.
International Data Encryption Algorithm (IDEA)
IDEA began life as the Proposed Encryption Standard (PES) and subsequently evolved into the Improved Proposed Encryption Standard (IPES). After further refinement IPES became IDEA in 1992. IDEA encrypts data in 64-bit blocks using a 128-bit key. Each block is divided into four 16-bit segments which are processed through eight rounds.
CAST
Developed by Carlisle Adams and Stafford Tavares, CAST uses a 64-bit block for 64-bit and 128-bit key size variants and 128-bit block sizes for the 256-bit key version.
Rivest Cipher (RC2, RC3, RC4, RC5, RC6)
The RC family of ciphers was developed by Ron Rivest. RC1 and RC3 were never released leaving five variants in current use.
- RC2 supports a key size of up to 1,024-bits with a fixed block size of 64-bits.
- RC4 is a stream cipher developed in 1984 (before RC5 and RC6) and was used secretly by the NSA until 1994. RC4 supports key sizes between 8 and 2,048 bits.
- RC5 is a block cipher supporting variable key sizes, block sizes and number of rounds.
- RC6 is a variation of RC5 using 128-bit block sizes and key size options of 128, 192 and 256-bits.
Asymmetric Algorithms
The concept of asymmetric encryption (also known as public key encryption) was devised in 1975 by Whitfield Diffie and Martin Hellman and is based on the concept of using a pair of keys, one private and one public. The private key is held by the host or application which is to receive the encrypted data. The corresponding public key is made available to anyone who wishes to encrypt data such that it can be decrypted by the holder of the private key. The cornerstone of public key encryption is the level of difficulty involved in inferring the private key from the public key.
The advantage of asymmetric over symmetric encryption is that the public key can be safely transmitted over public networks without the risk that its interception will compromise encrypted data. The same cannot, however, be said about symmetric encryption.
A vast number of asymmetric encryption mechanisms have been developed since Diffie and Hellman invented the concept over 30 years ago. In this chapter we will look at the most commonly used algorithms.
RSA
First published in 1977, RSA is named after the last names of its three inventors (Ron Rivest, Adi Shamir and Leonard Adleman) and is used for both encryption and digital signatures.
The algorithm works by multiplying two very large prime numbers (ideally between 100 and 200 digits in length and of equal length). Through further mathematical calculations public and private keys are derived.
Diffie-Hellman
Created by the inventors of public key encryption, Diffie-Hellman is one of the most common encryption protocols in current use and forms the basis of the Secure Sockets Layer (SSL), Secure Shell (SSH) and IPsec protocols and provides a mechanism for two parties who have not previously communicated to share a secret key.
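The exchange described above, with both parties' messages, as an added example that is not part of the original chapter. The modulus and generator are toy parameters chosen for this example so that it stays short (deployed protocols use much larger standardized groups), and the function names are hypothetical.

```python
import hashlib
import secrets

# Toy public parameters (assumption for this example, far too small for
# real use): P is the Mersenne prime 2**127 - 1 and G is the generator.
P = 2**127 - 1
G = 3


def keypair() -> tuple[int, int]:
    """Pick a random private exponent and compute the public value."""
    private = secrets.randbelow(P - 3) + 2      # uniform in [2, P - 2]
    public = pow(G, private, P)                 # G^private mod P
    return private, public


def shared_key(own_private: int, peer_public: int) -> bytes:
    """Combine our private exponent with the peer's public value."""
    # Reject degenerate values that would force a predictable secret.
    if not 1 < peer_public < P - 1:
        raise ValueError("peer public value out of range")
    secret = pow(peer_public, own_private, P)   # G^(a*b) mod P
    # Hash the raw secret down to a 256-bit symmetric key.
    return hashlib.sha256(secret.to_bytes(16, "big")).digest()


def exchange() -> dict:
    a_priv, a_pub = keypair()     # Alice keeps a_priv, sends a_pub
    b_priv, b_pub = keypair()     # Bob keeps b_priv, sends b_pub
    return {
        "on_the_wire": (P, G, a_pub, b_pub),    # all an observer sees
        "alice_key": shared_key(a_priv, b_pub),
        "bob_key": shared_key(b_priv, a_pub),
    }


if __name__ == "__main__":
    result = exchange()
    print("keys match:", result["alice_key"] == result["bob_key"])
```

Neither private exponent ever crosses the network, yet both sides arrive at the same key.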
ElGamal
Developed in the 1980s by Taher ElGamal, ElGamal is an extension to Diffie-Hellman specifically targeted at the encryption of digital signatures.
Elliptic Curve Cryptography (ECC)
ECC works on the premise that elliptic curves can be utilized to calculate encryption keys which are difficult to break. The concept of ECC is based on the fact that you can add two points on a curve to arrive at a third point. Two parties wishing to communicate agree on a curve and a point on that curve and perform a number of calculations to arrive at public and private keys.
Cryptography Usage
Now that we have covered the basics of the different cryptography categories and algorithms the next step is to look at some of the uses of cryptography within the context of information technology. Many people associate encryption with the obfuscation of information to keep it from being compromised by unauthorized parties. Whilst this is a very common use of encryption it is by no means the only use.
Confidentiality
When we refer to confidentiality we are talking about the use of encryption techniques on data to avoid it being accessed by unauthorized parties. Encryption for the purposes of ensuring confidentiality can be applied both to transmitted data (such as data sent over a public network) and stored data (such as information stored on a hard drive or portable storage device).
Integrity
Also referred to as message integrity, this use of cryptography provides a mechanism to verify that a message has not been modified on its journey between the sender and the recipient. This is commonly achieved through the use of digital signatures and one-way hash functions.
Nonrepudiation
Nonrepudiation is the name given to a technique by which the sender is unable to subsequently deny having sent a message. This is particularly important in the sending of financial instructions. A trader may, for example, send a broker instructions to buy shares shortly before a market crash. In a panic at having bought shares at significantly more than their new value the trader may try to deny having sent the buy order to the broker. Nonrepudiation works on the basis that only the sender is in possession of his or her private key. When the sender uses a private key to sign the message and the recipient uses the sender's public key to successfully verify the signature it essentially proves the message was sent by the owner of the private key.
Authentication
Authentication is the concept of proving user identity, typically in order to establish communication or to gain access to a system or network.
The most basic form of authentication involves the use of a login name and password. Another form of authentication involves the use of digital certificates (for example when accessing secure web sites).
Digital Signatures
Digital signatures are based on a combination of asymmetric cryptography and hash functions and are commonly used for signing digital documents and ensuring that downloaded applications are provided by a trusted source.
Once a document has been signed with a digital signature it is essential that a message digest be created using a hash function. This ensures that if the document is modified the change will be detected because the hash will fail verification by the recipient. Asymmetric encryption is also used to verify that the signature was indeed signed by the apparent document sender. To achieve this the hash is typically encrypted using the sender's private key. If the recipient is able to decrypt the hash using the sender's public key then the message is deemed to be authentic. It will not go unnoticed to those who have read the previous sections that this involves authentication, integrity and nonrepudiation.
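The RSA key derivation from the RSA section and the hash-then-sign flow described above, combined in one added example that is not part of the original chapter. It is unpadded "textbook" RSA over small constructed primes so the arithmetic stays visible; real deployments use much larger keys, a padding scheme and a vetted library, and the function names here are hypothetical.

```python
import hashlib

# Constructed toy primes (the Mersenne primes 2**89 - 1 and 2**107 - 1);
# far too small and too structured for real keys.
P = 2**89 - 1
Q = 2**107 - 1
E = 65537                      # common public exponent


def make_keypair(p: int, q: int, e: int = E):
    """Derive (public, private) keys from two primes."""
    n = p * q                          # modulus, shared by both keys
    phi = (p - 1) * (q - 1)            # Euler's totient of n
    d = pow(e, -1, phi)                # private exponent: e*d = 1 mod phi
    return (n, e), (n, d)


def digest_as_int(message: bytes, n: int) -> int:
    """SHA-256 digest of the message, reduced to fit the toy modulus."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private_key, message: bytes) -> int:
    """'Encrypt' the message digest with the private key."""
    n, d = private_key
    return pow(digest_as_int(message, n), d, n)


def verify(public_key, message: bytes, signature: int) -> bool:
    """'Decrypt' the signature with the public key and compare digests."""
    n, e = public_key
    return pow(signature, e, n) == digest_as_int(message, n)


if __name__ == "__main__":
    public, private = make_keypair(P, Q)
    order = b"BUY 500 shares"          # constructed sample message
    sig = sign(private, order)
    print("valid:", verify(public, order, sig))
    print("altered message:", verify(public, b"BUY 900 shares", sig))
```

Only the private key holder can produce a signature that verifies, which is the property nonrepudiation relies on.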